movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-12 05:16:25 +03:00
Code Activity

nixos/users-groups: Add assert on null shells (#279431)

Browse source
This commit is contained in:
Philip Taron 2025-03-07 12:54:52 -08:00 committed by GitHub
commit f041d52e7b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 11 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

12
nixos/modules/config/users-groups.nix
View file

@ -557,6 +557,7 @@ let
sdInitrdGidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) config.boot.initrd.systemd.groups) "gid"; sdInitrdGidsAreUnique = idsAreUnique (filterAttrs (n: g: g.gid != null) config.boot.initrd.systemd.groups) "gid";
groupNames = lib.mapAttrsToList (n: g: g.name) cfg.groups; groupNames = lib.mapAttrsToList (n: g: g.name) cfg.groups;
usersWithoutExistingGroup = lib.filterAttrs (n: u: u.group != "" && !lib.elem u.group groupNames) cfg.users; usersWithoutExistingGroup = lib.filterAttrs (n: u: u.group != "" && !lib.elem u.group groupNames) cfg.users;
usersWithNullShells = attrNames (filterAttrs (name: cfg: cfg.shell == null) cfg.users);
spec = pkgs.writeText "users-groups.json" (builtins.toJSON { spec = pkgs.writeText "users-groups.json" (builtins.toJSON {
inherit (cfg) mutableUsers; inherit (cfg) mutableUsers;
@ -910,12 +911,21 @@ in {
${lib.concatStringsSep "\n " (map mkConfigHint missingGroups)} ${lib.concatStringsSep "\n " (map mkConfigHint missingGroups)}
''; '';
} }
{
assertion = !cfg.mutableUsers -> length usersWithNullShells == 0;
message = ''
users.mutableUsers = false has been set,
but found users that have their shell set to null.
If you wish to disable login, set their shell to pkgs.shadow (the default).
Misconfigured users: ${lib.concatStringsSep " " usersWithNullShells}
'';
}
{ # If mutableUsers is false, to prevent users creating a { # If mutableUsers is false, to prevent users creating a
# configuration that locks them out of the system, ensure that # configuration that locks them out of the system, ensure that
# there is at least one "privileged" account that has a # there is at least one "privileged" account that has a
# password or an SSH authorized key. Privileged accounts are # password or an SSH authorized key. Privileged accounts are
# root and users in the wheel group. # root and users in the wheel group.
# The check does not apply when users.disableLoginPossibilityAssertion # The check does not apply when users.allowNoPasswordLogin
# The check does not apply when users.mutableUsers # The check does not apply when users.mutableUsers
assertion = !cfg.mutableUsers -> !cfg.allowNoPasswordLogin -> assertion = !cfg.mutableUsers -> !cfg.allowNoPasswordLogin ->
any id (mapAttrsToList (name: cfg: any id (mapAttrsToList (name: cfg: